b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 Audit Trails Did Not Comply With Standards\n                      or Fully Support Investigations of\n                 Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                      September 20, 2012\n\n                              Reference Number: 2012-20-099\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.tigta.gov\n\x0c                                                  HIGHLIGHTS\n\n\nAUDIT TRAILS DID NOT COMPLY WITH                     did not adequately identify all auditable events\nSTANDARDS OR FULLY SUPPORT                           and related data elements that were required to\nINVESTIGATIONS OF UNAUTHORIZED                       be captured in the audit trail. Consequently,\nDISCLOSURE OF TAXPAYER DATA                          audit trail logs were missing required data.\n                                                     TIGTA observed application users while\n                                                     transactions were entered on three IRS\nHighlights                                           applications that send audit trails to the Security\n                                                     Audit and Analysis System, the IRS\xe2\x80\x99s audit trail\nFinal Report issued on                               repository system. Multiple audit trail\nSeptember 20, 2012                                   weaknesses were identified as a result of tracing\n                                                     these transactions. The IRS did not adequately\nHighlights of Reference Number: 2012-20-099          validate audit log data that were sent to the\nto the Internal Revenue Service Chief                Security Audit and Analysis System to ensure\nTechnology Officer.                                  that the data necessary to support UNAX\n                                                     investigations are captured. The ESAT office\nIMPACT ON TAXPAYERS                                  did not conduct tests to determine if actions\nAudit trails are a key component of information      taken by users on the system correlated to\ntechnology security and contain a record of          events recorded in the audit trail log or if all\nevents occurring on a computer from system           required elements were being captured.\nand application processes, as well as user           WHAT TIGTA RECOMMENDED\nactivity. The IRS has taken actions to\nimplement an enterprise solution to audit trail      TIGTA recommended that the ESAT office\nweaknesses, but incomplete audit trail data and      improve processes to ensure Audit Plans and\ninconsistent timestamps indicate audit trail         resulting audit trails are accurate, complete, and\nprocesses need improvement. Insufficient audit       compliant with requirements. In addition,\ntrail data hinder investigations of unauthorized     processes to test audit trail data should be\naccess (UNAX) to taxpayer information and IRS        improved, and the Audit Plan template should be\nmanagement\xe2\x80\x99s ability to enforce UNAX policies.       updated to identify the location of information on\n                                                     audit log testing and stakeholder comments and\nWHY TIGTA DID THE AUDIT                              to show ESAT office approval that testing was\nUNAX is prohibited by law. This audit was            sufficient. TIGTA also recommended that\ninitiated to evaluate the IRS\xe2\x80\x99s efforts to           timestamp procedures be clarified and made\nimplement effective UNAX audit trails for            readily available to application owners.\ninformation systems that store and process           In their response, IRS officials stated they\ntaxpayer data. This audit is included in our         agreed with the recommendation to improve\nFiscal Year 2012 Annual Audit Plan and               processes to test audit trail data. The IRS\naddresses the major management challenge of          partially agreed with three recommendations.\nSecurity for Taxpayer Data and Employees.            The IRS did not agree that validation should be\n                                                     completed before final ESAT office approval of\nWHAT TIGTA FOUND\n                                                     Audit Plans, that Audit Plan templates should be\nThe Enterprise Security Audit Trail (ESAT) office    updated to identify the location of information on\nhas taken several actions to implement an            audit log testing and stakeholder comments, or\nenterprise solution to audit trail weaknesses.       that guidance on timestamps needs revision,\nHowever, process improvements are needed to          although they will review timestamp procedures.\nensure audit trails effectively support UNAX\n                                                     TIGTA continues to recommend that the IRS\ninvestigations and IRS management\xe2\x80\x99s ability to\n                                                     formalize a location where test and ESAT\nidentify noncompliant activity and hold\n                                                     validation results can be found, set shorter time\nemployees accountable for UNAX policies.\n                                                     frames to implement the proposed changes,\nAudit Plans, the key planning document to meet       postpone closing audit trail specific weaknesses,\nIRS goals to comply with audit trail standards,      and revise timestamp procedures.\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 20, 2012\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Audit Trails Did Not Comply With Standards or\n                             Fully Support Investigations of Unauthorized Disclosure of Taxpayer\n                             Data (Audit # 201220004)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s efforts to\n implement effective unauthorized access audit trails for information systems that store and\n process taxpayer data. This audit is included in our Fiscal Year 2012 Annual Audit Plan and\n addresses the major management challenge of Security for Taxpayer Data and Employees.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix V.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan\n Duncan, Assistant Inspector General for Audit (Security and Information Technology Services),\n at (202) 622-5894.\n\x0c                         Audit Trails Did Not Comply With Standards or Fully Support\n                         Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 4\n          The Enterprise Security Audit Trail Office Has Taken\n          Actions to Implement an Enterprise Solution to Audit\n          Trail Weaknesses .......................................................................................... Page 4\n          Process Improvements Are Needed to Ensure Audit Trails\n          Effectively Support Unauthorized Access Investigations............................. Page 5\n                    Recommendation 1:........................................................ Page 10\n\n                    Recommendations 2 and 3: .............................................. Page 11\n\n                    Recommendation 4:........................................................ Page 12\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 13\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 15\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 16\n          Appendix IV \xe2\x80\x93 Descriptions of Applications................................................ Page 17\n          Appendix V \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ....................... Page 18\n\x0c        Audit Trails Did Not Comply With Standards or Fully Support\n        Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                       Abbreviations\n\nAMS             Account Management Services\nESAT            Enterprise Security Audit Trail\nIRS             Internal Revenue Service\nMeF             Modernized e-File\nSAAS            Security Audit and Analysis System\nTDS             Transcript Delivery System\nTIGTA           Treasury Inspector General for Tax Administration\nUNAX            Unauthorized Access\n\x0c                     Audit Trails Did Not Comply With Standards or Fully Support\n                     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                            Background\n\nThe Internal Revenue Service (IRS) relies extensively on computer systems to carry out the\nresponsibilities of administering the Nation\xe2\x80\x99s tax laws, including processing Federal tax returns\nand collecting Federal taxes. IRS computer systems process hundreds of millions of tax and\ninformation returns and contain tax information for more than 100 million taxpayers. Because of\nthe sensitivity of these data, the IRS must maintain effective information security controls over\nits systems to protect financial and taxpayer information from inadvertent or deliberate misuse,\nimproper disclosure, or destruction.\nAudit trails are a key component of effective information technology security. Audit trails\ncontain a record of events occurring on a computer from system and application processes,1 as\nwell as user activity. In essence, audit trails should provide information as to what events\noccurred, when the events occurred, and who (or what) caused the events. This information can\nallow an organization to reconstruct events, monitor compliance with security policies, identify\nmalicious activity or intrusion, and analyze user and system activity. Maintaining sufficient\naudit trails is critical to establishing accountability,\nparticularly over individual users and their activities.\nThe National Institute of Standards and Technology, the           Maintaining sufficient audit trails\n                                                                     of user activity on computer\nDepartment of the Treasury, and the IRS\xe2\x80\x99s policies and\n                                                                   systems is a critical component\nprocedures contain requirements for the capture, storage,               of information security.\ntransmission, review, and retention of audit trails. These\npolicies and procedures require that audit trails be\nsufficient in detail to facilitate the reconstruction of events if unauthorized activity or a\nmalfunction occurs or is suspected on enterprise-computing assets.\nDue to the sensitive nature of tax return information, Internal Revenue Code Section (\xc2\xa7) 61032\nand the Taxpayer Browsing Protection Act of 19973 require the IRS to detect and monitor the\nunauthorized access (UNAX) and disclosure of taxpayer records. The willful unauthorized\naccess or inspection of taxpayer records is a crime punishable upon conviction by fines, prison\nterms, and termination of employment.\nThe implementation of audit trail solutions has been a challenge for the IRS. In 1997, the IRS\nidentified computer security as a material weakness under the Federal Managers\xe2\x80\x99 Financial\n\n1\n  A system is a set of interdependent computer components that may include software, hardware, and processes. An\napplication is a component of a system and is designed to help the user perform specific tasks, such as accounting\nfunctions or word processing.\n2\n  Internal Revenue Code \xc2\xa7 6103 restricts the disclosure of tax returns and return information.\n3\n  Pub. L. No.105-35, 26 U.S.C. \xc2\xa7\xc2\xa7 7213, 7213A, 7431.\n                                                                                                          Page 1\n\x0c                      Audit Trails Did Not Comply With Standards or Fully Support\n                      Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nIntegrity Act of 1982.4 The Federal Managers\xe2\x80\x99 Financial Integrity Act requires that each agency\nconduct annual evaluations of its systems of internal accounting and administrative controls, and\nsubmit an annual assurance statement on the status of the agency\xe2\x80\x99s system of management\ncontrols. As part of the evaluations, agency managers identify control areas that can be\nconsidered material weaknesses.5 The IRS\xe2\x80\x99s computer security material weakness included audit\ntrails as one of its nine subsections.6 Audit trails were included as part of the computer security\nmaterial weakness because the IRS was not effectively monitoring key networks and systems to\nidentify unauthorized activities and inappropriate system configurations.\nThe IRS established the Enterprise Security Audit Trail (ESAT) Project Management Office\n(hereafter referred to as the ESAT office) within its Cybersecurity organization in March 2010.\nThe ESAT office\xe2\x80\x99s mission is to resolve the IRS\xe2\x80\x99s audit trail material weakness by managing all\nenterprise audit initiatives and overseeing the deployment of various audit trail solutions that\nmeet the required standards.7 The IRS decided that audit trails for systems that store or process\ntaxpayer data should be sent to the Security Audit and Analysis System (SAAS), where they\ncould be accessed by those responsible for reviewing questionable activities and investigating\npotential UNAX violations. The SAAS is the audit trail repository for both projects in\ndevelopment and existing production applications when taxpayer data are accessed.\nDespite the IRS\xe2\x80\x99s requirement that employees complete UNAX awareness training annually,\nwhich emphasizes that accessing taxpayer information without a business justification is a\nsecurity violation, the Treasury Inspector General for Tax Administration (TIGTA) Office of\nInvestigations investigates an average of nearly 400 UNAX violations each year. The TIGTA\nOffice of Investigations uses various sources of information to detect potential unauthorized\naccesses to tax return information including audit trails generated by the Integrated Data\nRetrieval System, the Modernized e-File (MeF) system, the Transcript Delivery System (TDS),\nand the Account Management Services (AMS).8\n\n\n\n4\n  31 U.S.C. \xc2\xa7\xc2\xa7 1105, 1113, 3512 (2000).\n5\n  The Department of the Treasury has defined a material weakness as, \xe2\x80\x9cshortcomings in operations or systems\nwhich, among other things, severely impair or threaten the organization\xe2\x80\x99s ability to accomplish its mission or to\nprepare timely, accurate financial statements or reports.\xe2\x80\x9d\n6\n  The nine subsections of the computer security material weakness are: 1) network access controls, 2) system and\napplication access controls, 3) system software configuration, 4) security roles and responsibilities, 5) separation of\nduties, 6) contingency planning, 7) audit trails, 8) security-related training, and 9) certification and accreditation.\nThe IRS has completed actions to remediate the separation of duties, training, and certification and accreditation\nsubsections.\n7\n  Similar functions were carried out by a predecessor organization called the Computer Security Audit Trail\norganization established in 2008.\n8\n  The Integrated Data Retrieval System is an IRS computer system capable of retrieving or updating stored\ninformation. It works in conjunction with a taxpayer\xe2\x80\x99s account records. See Appendix IV for a description of the\nMeF system, the TDS, and the AMS. These applications send audit trails to the SAAS, but only Integrated Data\nRetrieval System audit trails are complete in the SAAS.\n                                                                                                                Page 2\n\x0c                     Audit Trails Did Not Comply With Standards or Fully Support\n                     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nIn addition, IRS security specialists review daily SAAS audit log reports for suspicious or\nunauthorized activities. If noncompliant activity is found, IRS managers are required to initiate\ndisciplinary actions. Making sure that systems capture required events accurately and\ncompletely in the SAAS is critical to the resolution of the audit trail material weakness, adequate\nUNAX detection efforts, and IRS management\xe2\x80\x99s ability to enforce UNAX policies.\nThis review was performed at the Modernization and Information Technology Services9\norganization Office of Cybersecurity in New Carrollton, Maryland, during the period\nSeptember 2011 through May 2012. We conducted this performance audit in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit objective.\nDetailed information on our audit objective, scope, and methodology is presented in Appendix I.\nMajor contributors to the report are listed in Appendix II.\n\n\n\n\n9\n  On July 1, 2012, the Modernization and Information Technology Services organization changed its name to the\nInformation Technology organization.\n                                                                                                         Page 3\n\x0c                       Audit Trails Did Not Comply With Standards or Fully Support\n                       Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                        Results of Review\n\nThe ESAT office has taken actions to implement the SAAS as the enterprise solution to address\naudit trail weaknesses. However, its actions did not result in a process that was effective in\nsupporting UNAX investigations. As a result, UNAX investigations may be difficult or\nimpossible to accomplish using the SAAS, the stated enterprise solution. Without the audit data\nneeded to complete UNAX investigations, IRS management may be unable to identify or\nsubstantiate noncompliant activity, or hold employees accountable to UNAX policies.\nAdditionally, the IRS should not rely on the SAAS to address the computer security material\nweakness related to audit trails until improvements have been made to better capture key audit\ntrail data.\n\nThe Enterprise Security Audit Trail Office Has Taken Actions to\nImplement an Enterprise Solution to Audit Trail Weaknesses\nThe ESAT office has been instrumental in helping application owners produce plans to\nimplement audit trail policies and procedures. It has developed an Audit Plan template to ensure\nthat policies and procedures are considered when decisions are made as to which information\nshould be captured for audit trails. It also has acted as a facilitator and resource to application\nowners as they develop the Audit Plans. In addition, the ESAT office has been receptive to\nstakeholder input from the TIGTA Office of Investigations about potential changes that should\nbe made to the process. For example, based on TIGTA Office of Investigations\xe2\x80\x99 input, the\nESAT office added requirements to the Internal Revenue Manual10 that improved audit trails,\nenhanced educational efforts to application owners on what constitutes auditable events, and\nmore frequently sought stakeholder input during Audit Plan formation that resulted in better\nplans.\nAudit Plans, which contain critical audit trail details, such as which events and data elements are\nused by an application, are the most important document to ensure that audit trail standards are\nmet and all the required information is captured. IRS policy states that every interaction with\ntaxpayer information through an application is an auditable event. Application owners are\ndirected to document the following audit trail information in their Audit Plans.\n       \xef\x82\xb7   What events occurred (e.g., add, delete, modify, or research).\n       \xef\x82\xb7   When the events occurred (i.e., timestamp).\n       \xef\x82\xb7   Who (or what) caused the events.\n\n10\n     Internal Revenue Manual 10.8.3, Information Technology Security, Audit Logging Security Standards.\n                                                                                                          Page 4\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n   \xef\x82\xb7   Success or failure of the transaction.\n   \xef\x82\xb7   Information related to the taxpayer\xe2\x80\x99s identity, tax form type, and tax period.\n   \xef\x82\xb7   Any supplemental information on specific individuals or transactions requiring additional\n       oversight.\nThe Audit Plan is customized to each individual application and parallels audit trail guidance\nfrom the National Institute of Standards and Technology in Recommended Security Controls for\nFederal Information Systems and Organizations (Special Publication 800-53). Once completed,\nthe ESAT office must approve and sign off on each application\xe2\x80\x99s Audit Plan.\nThe IRS\xe2\x80\x99s goal is that all applications in which taxpayer information is accessed, whether the\napplication is in development or in production, will eventually send audit trails to the SAAS.\nThe ESAT office\xe2\x80\x99s tracking sheet shows that it identified 380 applications that could potentially\ncontain taxpayer information and therefore be required to send audit trails to the SAAS. Because\nsome of those 380 systems will be retired or are subsystems, the ESAT office estimates that\ncurrently 339 applications potentially require an Audit Plan. However, the ESAT office has not\nevaluated whether these applications actually contain taxpayer information and therefore would\nneed to send audit trails to the SAAS. The ESAT office did not know of any other source of\ninformation at the IRS that could provide this determination for these applications. In general,\nthe ESAT office has been prioritizing the completion of Audit Plans for new applications in\ndevelopment and applications included in Federal Information Security Management Act reports.\nESAT officials advised us that they have reviewed and approved 83 application Audit Plans. As\nof March 2012, the SAAS contained audit trail data from 20 applications.\nThe ESAT office has taken additional actions to address SAAS deficiencies and to promote\nacceptable UNAX monitoring. For example, it has recently overseen the addition of three new\ndata fields in the SAAS to improve compliance with audit trail standards and ensure the capture\nof required audit trail data elements.\nDespite these accomplishments, we identified several factors that have hindered the ESAT\noffice\xe2\x80\x99s further progress in making the SAAS an effective enterprise audit trail solution for\nUNAX monitoring and in addressing and resolving the audit trail material weakness.\n\nProcess Improvements Are Needed to Ensure Audit Trails Effectively\nSupport Unauthorized Access Investigations\nAudit Plans, the key planning document to meet the IRS\xe2\x80\x99s goals to comply with audit trail\nstandards, did not adequately identify all auditable events and related data elements that were\nrequired to be captured in the audit trail. Consequently, SAAS data did not include key events\nand data elements in the audit trail. The SAAS data also were not always captured in a usable\nformat, and the timestamp was not consistent. The data were generally collected as anticipated\nin the Audit Plans, but the Audit Plans did not adequately describe all of the data that should\n                                                                                            Page 5\n\x0c                     Audit Trails Did Not Comply With Standards or Fully Support\n                     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nhave been collected. These issues may compromise investigations and the IRS\xe2\x80\x99s ability to\neventually close the audit trail subsection of the computer security material weakness.\n\nAudit plans did not include all events and data elements\nWe selected a judgmental sample11 of three applications to review for accuracy and completeness\nof the Audit Plans and SAAS data. An important consideration in our selection was whether the\napplications qualified as meeting the closure criteria for one of the audit trail corrective actions\nfor the computer security material weakness.12 We selected the following applications: the\nAMS, the TDS, and the MeF system. These applications collectively process or store taxpayer\ndata on potentially every taxpayer account.\nTwo of the three Audit Plans we reviewed, although approved by the ESAT office, did not\nidentify all application events that involve access to taxpayer data. For example, the TDS used\nthe same event description for every transaction that occurred. The AMS used four different\nevent descriptions, but they were not sufficient to identify exactly which document had been\naccessed or whether the document was added, deleted, modified, or used for research (viewed).\nThe MeF system Audit Plan identified the key events and had a good description for them.\nSimilarly, the Audit Plans did not specify how all the required data elements would be collected\nfor each event. For example, IRS policies require capturing the type of tax form and the tax\nperiod for each event when taxpayer information is accessed; however, the Audit Plans did not\nspecifically address how these data elements should be captured. A complicating factor was that\nthe SAAS was unable to capture these required data elements as separate fields until\nSeptember 2011. However, they could have been recorded in a large \xe2\x80\x9cvariable\xe2\x80\x9d field that was\navailable to all applications.\nThe description of auditable events in Internal Revenue Manual 10.8.3 and the Audit Plan\ntemplate is unclear. The manual states that when a taxpayer record has been added, deleted,\nmodified, or researched, that event shall be captured and recorded. However, neither the manual\nnor the Audit Plan template provide sufficient details on how to translate application transactions\nto audit trail events or to ensure sufficient events are recorded for each type of transaction.\nESAT officials stated that although they are responsible for oversight of the Audit Plan process\nand the SAAS, they are only facilitators and do not possess the depth of technical knowledge\n\n\n11\n  A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n12\n  The audit trail subsection of the computer material weakness contains 10 corrective actions, one of which required\nthe implementation of an application monitoring capability for at least four applications. In January 2011, the\nSystem Security and Privacy Executive Steering Committee approved closure of this corrective action based on the\nESAT office\xe2\x80\x99s determination that the SAAS was in continuous receipt of security logs for 16 applications, that the\nlogs were retained in accordance with Internal Revenue Manual 10.8.3, that Cybersecurity organization analysts\nwere dedicated on a per application basis to exercise log analysis, and that the analysts were able to generate\nappropriate and useful reports against activities from these applications.\n                                                                                                            Page 6\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nnecessary to assist application owners in the detailed preparation of the Audit Plans. Instead, the\nESAT office relies on the application owner\xe2\x80\x99s resources and expertise to complete the Audit\nPlan. However, the ESAT office has signatory authority and oversight responsibility for the\nAudit Plans. If Audit Plans do not document all the information necessary to ensure that the\nrequired who, what, when, and where is logged, the IRS has no assurance that the SAAS audit\ntrail data will sufficiently log these details.\n\nThe ESAT office did not ensure sufficient testing of audit trail data to validate its\naccuracy and completeness\nThe ESAT Audit Plan process does not include essential steps to adequately validate audit log\ndata to ensure the SAAS is capturing the required elements necessary to support UNAX\ninvestigations. In addition, the results from the limited testing that is performed are not recorded\nas part of the Audit Plan.\nESAT officials informed us that they do conduct various validity checks on the data loaded into\nthe SAAS, but they do not verify that audit trails capture all that is required. The ESAT office\xe2\x80\x99s\ntesting of data sent to the SAAS is limited to only confirming receipt of data, conducting\ncharacter validity checks for each SAAS data field, and determining that the reporting feature\nwithin the SAAS is functioning properly. It does not conduct transaction-based tests on the data\nin the SAAS to ensure it is accurate, complete, and meets requirements. Specifically, the ESAT\noffice does not conduct tests to determine whether actions taken by users on the system correlate\nto events recorded in the SAAS audit trail, or that all required elements are being captured in\nSAAS.\nIn December 2011, we observed various transactions performed by application users on our three\nsample applications and analyzed the resulting audit trail data sent to the SAAS. None of the\nthree applications sent sufficient audit trail data to the SAAS that would allow for easily\nreconstructing events. The events and data elements in the SAAS generally paralleled those\ndescribed in the Audit Plan and, consequently, the same issues were present; key events and data\nelements were not captured. We also identified additional deficiencies through our transaction\ntesting. Figure 1 provides details of the audit trail weaknesses identified during our review.\nImprovements made to the AMS and the TDS subsequent to our testing are described in\nfootnotes 13 and 14.\n\n\n\n\n                                                                                             Page 7\n\x0c                     Audit Trails Did Not Comply With Standards or Fully Support\n                     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                Figure 1: Audit Trail Weaknesses of Sampled Applications\n\n                      Audit Weakness                                AMS13             TDS14         MeF System\n No one-to-one correlation exists between transactions\n accessing a tax record and events recorded in the                     \xe2\x88\x9a                \xe2\x88\x9a\n SAAS. For example, two returns from different years\n could be accessed, but only one record would appear in\n the SAAS.\n Required data elements were missing in the SAAS,\n such as type of tax form, tax period, and the success or              \xe2\x88\x9a                \xe2\x88\x9a                 \xe2\x88\x9a\n failure of the transaction.\n Additional data elements needed for UNAX\n investigations were missing in the SAAS, such as the                  \xe2\x88\x9a                \xe2\x88\x9a                 \xe2\x88\x9a\n type of taxpayer (individual or business).\n Events recorded in the SAAS were not sufficiently\n descriptive to determine what type of taxpayer                        \xe2\x88\x9a                \xe2\x88\x9a\n information had been accessed.\n Variable field data in SAAS audit trails did not follow\n a standard format and were mostly not relevant for                    \xe2\x88\x9a                \xe2\x88\x9a                 \xe2\x88\x9a\n investigative purposes.\n The timestamp was not correctly captured or was not\n synchronized.                                                         \xe2\x88\x9a                                  \xe2\x88\x9a\n The application name was not captured in the SAAS.                    \xe2\x88\x9a\n Accesses made through the AMS to information in\n other systems were not in the SAAS.                                   \xe2\x88\x9a\nSource: TIGTA analysis of SAAS audit trails.\n\nIn addition to not recording events and data elements that fully reflected the nature of the\ntransactions we observed, we also identified three other deficiencies where some events were not\ncaptured as they occurred, variable fields contained long strings of useless information, and\ntimestamps were inconsistent from application to application and may not have been properly\nsynchronized.\n\n\n\n13\n   Subsequent to our testing, the AMS was revised so that the AMS name is now captured along with its log entries\nin the SAAS.\n14\n   The TDS captured a data element for the success or failure of the transaction, but did not capture two other\nrequired data elements. Additionally, TDS staff stated that subsequent to our testing, they made improvements to\nthe SAAS audit trail, including that each transaction is captured separately (we confirmed that now a one-to-one\ncorrelation between transactions and SAAS records exists), and the variable field uses a standard format that\ncontains relevant information.\n                                                                                                          Page 8\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nOur testing showed that some events were not captured as they occurred. Specifically, we found\nno one-to-one correlation between transactions and the events that were recorded in the SAAS.\nFor example, when two returns from different tax years were accessed in the same user session,\nonly one record was written to the SAAS, and it did not capture the tax years. Additionally, the\nAMS allowed users to access information from other applications, and these accesses were not\nrecorded in the SAAS either by the AMS or the other applications. End users had access to this\nuntracked information even when they did not have approval to access the other applications\ndirectly.\nThe SAAS variable field, which was used to capture any relevant information not already\ncaptured in defined fields, contained some information. Prior to implementing separate fields for\ncertain required data elements, such as the type of tax form and the tax period, the variable field\ncould be used to capture that information. Additionally, applications may use the variable field\nto capture information that might be useful to investigations, such as taxpayer representative\ncontact information or fax numbers. However, most of the information captured was a string of\nprogramming code for the transaction or the document. The code sometimes contained no\nrelevant information at all and sometimes contained information that was relevant but\nunformatted (and thus not usable for investigative purposes). Much of this information was\nuseless and capturing it may strain computer capacity, which the IRS has indicated is an issue for\naudit trail data. Application owners told us they did this because initially no specific guidance\nexisted on how to put formatted information in the field.\nThe IRS mandates an authoritative time server be used for the purpose of synchronizing the\ncomputer system clocks (used for the event timestamp). Synchronization ensures proper\nsequencing of transactions recorded in audit trails, which is important in developing reliable and\nconvincing investigation results. However, the IRS policy is vague, and the IRS has been unable\nto provide detailed procedures regarding how this policy is supposed to be implemented. When\nasked, IRS personnel could not definitively state how to determine the proper time zone for the\ntimestamp, or what the authoritative time server is for synchronizing system clocks.\nConsequently, we noted discrepancies in audit event timestamps, which could thwart\ninvestigations and law enforcement activities. Until the IRS provides system owners with\nadequate procedures related to synchronization and timestamps, it cannot ensure that audit trail\nevents will be accurately time stamped and able to support UNAX investigations.\nThe weaknesses described in and after Figure 1 could have been identified by the IRS if adequate\naudit log validation and testing had been performed. Our analysis compared detailed records of\nobserved transactions conducted by application users to the audit trails from both the application\nand the SAAS. For example, through a simple input/output comparison, we found that the\nSAAS did not contain a record for every transaction that was input at the application level, and\nthat the SAAS record was not always sufficient to determine what document had been viewed\nand when. Without sufficient testing of audit log data, the IRS cannot confirm that actions\nperformed on a system can be reconstructed in support of a UNAX investigation.\n\n                                                                                            Page 9\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\nIncomplete audit trail data and inconsistent timestamps hinder investigations and\naffect the IRS\xe2\x80\x99s ability to address the computer security material weakness\nThe SAAS cannot be a good audit trail enterprise solution as long as it continues to lack events,\ndata elements, and consistent timestamps. Insufficient audit trail data hinder investigations of\nIRS policy violations, suspicious activity, and unauthorized access to taxpayer information.\nEmployees may be less deterred from engaging in malicious or unauthorized activity if they\nbelieve their activities are not being monitored.\nImplementing a repeatable process to ensure that applications capture all required audit trail\nevents is also critical to the resolution of the audit trail subsection of the computer security\nmaterial weakness. The IRS has worked for years to develop an effective way to address this\nweakness and has made continuous incremental improvements. The IRS developed multiple\ncorrective actions to deal with audit trail weaknesses, one of which related to employing the\nSAAS to capture and report on audit trail data. The SAAS appeared to be accomplishing this\ncorrective action as the IRS had framed it and, consequently, IRS management deemed this\ncorrective action ready for closure. However, until a repeatable process is in place to ensure the\naudit trail data in the SAAS are complete and accurate, the IRS should not rely on SAAS data to\nsupport closure of the material weakness.\n\nRecommendations\nThe Chief Technology Officer should:\nRecommendation 1: Ensure the ESAT office improves processes to ensure Audit Plans are\naccurate, complete, and compliant with requirements prior to signing the Audit Plans;\nspecifically, that meaningful events, required data elements, and descriptive variable information\nare captured in the SAAS audit trails for all applications. The ESAT office should facilitate\ndevelopment of application Audit Plans with collaboration between the application owner who\nprepares the Audit Plan and stakeholders of the audit trails, including the Cybersecurity\norganization and the TIGTA Office of Investigations. Comments and concerns of the\nstakeholders with respect to the Audit Plans should be documented and resolved.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       ESAT office will ensure that Audit Plans are accurate, complete, and compliant with\n       Internal Revenue Manual 10.8.3 requirements prior to signing. The ESAT office will\n       facilitate the development of application Audit Plans in collaboration with the application\n       owner and stakeholders, including Cybersecurity and the TIGTA Office of Investigations.\n       Stakeholder comments and concerns about the Audit Plans will be documented and\n       resolved. The capture of meaningful events, required data elements, and descriptive\n       variable information for all applications will be improved in the SAAS audit trails as set\n       forth in the Audit Plans. However, the IRS disagreed that validation should be completed\n       prior to signing the Audit Plans.\n\n                                                                                           Page 10\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n       Office of Audit Comment: We have concerns with the implementation date of this\n       corrective action by November 1, 2016, more than four years after the issuance of this\n       report. Without the collaboration of the stakeholders and improved processes to\n       document and resolve their comments and concerns while Audit Plans are being\n       developed, the IRS will have no assurance that the accuracy and completeness of Audit\n       Plans will improve in order for the compliance of the resulting audit trails to improve.\n       Therefore, we recommend immediate implementation of this corrective action. We are\n       also in agreement that the ESAT office\xe2\x80\x99s validation of audit trails would occur\n       subsequent to its signing of the Audit Plan, and did not intend otherwise in\n       Recommendation 1.\nRecommendation 2: Ensure the ESAT office improves processes to test audit trail data;\nspecifically, to validate that details from transactions entered into the application are complete\nand timestamps are consistent in the SAAS, not just that data are being successfully transmitted\nto the SAAS. Validation of audit trails should also be a collaborative effort with stakeholders,\nincluding the Cybersecurity organization and the TIGTA Office of Investigations. Comments of\nthe stakeholders with respect to audit trail testing should be documented.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The ESAT\n       office will improve processes to test audit trail data to validate that details from\n       transactions entered into the application are complete and timestamps are consistent in\n       the SAAS, not just that data are being successfully transmitted to the SAAS. Validation\n       of audit trails will also be a collaborative effort with stakeholders, including the\n       Cybersecurity organization and the TIGTA Office of Investigations. Stakeholder\n       comments and concerns about the audit trails testing will be documented.\nRecommendation 3: Ensure the ESAT office updates the Audit Plan template to include:\n1) a statement that audit trails must allow for subsequent forensic reconstruction and review of\nemployee user-initiated actions by identifying the element of account information\n(i.e., document, form, case file, or narrative) and which of the four actions (added, deleted,\nmodified, or researched) was taken on the account; 2) information about where audit trail testing\nresults and stakeholder comments regarding the Audit Plan development can be found; and\n3) a second ESAT approval on the Audit Plan to verify that sufficient testing of audit trails was\ncompleted.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation. The\n       information requested in part 1 of this recommendation is already included in the Audit\n       Plan template in accordance with Internal Revenue Manual 10.8.3. The IRS agrees the\n       ESAT office will improve processes to test audit trail data to validate that details from\n       transactions entered into the application are complete as specified in the Audit Plan.\n       Validation of audit trails will also be a collaborative effort with stakeholders, including\n       the Cybersecurity organization and the TIGTA Office of Investigations. Stakeholder\n       comments and concerns about audit trail testing will be documented and retained. The\n\n                                                                                          Page 11\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n       IRS disagreed that the Audit Plan template should be updated to include information\n       about where stakeholder comments regarding the Audit Plan development and the audit\n       trail testing results can be found. The IRS also disagreed that a second ESAT approval\n       should be conducted for the Audit Plan to indicate testing was completed. However, any\n       changes to the Audit Plans determined as necessary from test results analysis will be\n       addressed immediately.\n       Office of Audit Comment: The IRS disagreed to update the Audit Plan template to\n       include information regarding audit trail testing and proposed no alternative solution or\n       location. We continue to recommend that the ESAT office\xe2\x80\x99s improved audit trail testing\n       processes formalize a location where test results and the ESAT office\xe2\x80\x99s validation of the\n       audit trail data can be found. Currently, the IRS is using ESAT-approved Audit Plans to\n       close audit trail weaknesses at the application level and at the IRS organizational level.\n       However, ESAT-approved Audit Plans provide no assurance that the audit trails are\n       compliant with requirements. Those who test audit trail controls at the application and\n       organization levels during security control assessments or annual testing of controls\n       should be instructed to base the status of the audit trail controls on ESAT-validated audit\n       trails, not on ESAT-approved Audit Plans. We also have concerns that the IRS has set\n       the implementation date for its improvement of audit trail testing processes to be\n       November 1, 2016, and believe a shorter time frame should be set. Until processes are in\n       place for proper testing and the ESAT office\xe2\x80\x99s validation of audit trails, audit\n       trail-specific weaknesses at the application or organizational level should not be closed.\nRecommendation 4: Revise policies and procedures to ensure timestamp guidance is clear\nand readily available to application owners. Guidance should include which devices serve as\nauthoritative time servers for synchronization, how to configure local systems to synchronize\nwith authoritative time servers, and where to locate assistance if needed.\n       Management\xe2\x80\x99s Response: The IRS partially agreed with this recommendation.\n       Guidance that describes which devices serve as authoritative time servers and how local\n       systems are configured to align with those servers did exist, but was not readily available\n       for the auditors. The IRS will review existing policies and procedures for timestamps\n       and ensure the guidance is clear and available to all stakeholders.\n       Office of Audit Comment: We continue to recommend the IRS ensures that its\n       policies and procedures related to timestamp guidance be revised, not just reviewed with\n       no assurance that they will be revised. The IRS needs to adequately document or log the\n       actual time zone in the Audit Plan or within the audit trail. The current process leaves\n       time zones up to interpretation, which can be detrimental to any administrative or\n       criminal investigation, and resulting adjudications of potential UNAX cases.\n\n\n\n\n                                                                                          Page 12\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to evaluate the IRS\xe2\x80\x99s efforts to implement effective\nUNAX audit trails for information systems that store and process taxpayer data. To accomplish\nour objective, we:\nI.     Determined whether the IRS has an effective process to comply with application audit\n       trail requirements in the preparation of Audit Plans and sending audit trail information to\n       the SAAS.\n       A. Identified and reviewed policies, procedures, and guidelines related to the audit trail\n          process.\n       B. Interviewed the Cybersecurity organization\xe2\x80\x99s ESAT Project Management Office\n          (hereafter referred to as the ESAT Office) personnel and other Cybersecurity\n          organization personnel to document and assess the procedures for preparing and\n          approving Audit Plans, and verifying the completeness and accuracy of data sent to\n          the SAAS.\n       C. Evaluated the IRS\xe2\x80\x99s progress towards implementing adequate audit trails for its\n          population of applications that contain taxpayer data.\nII.    Determined if either the application project office or the application owner has completed\n       and approved an Audit Plan in compliance with ESAT office guidance, and the Audit\n       Plan accurately identifies all required auditable events.\n       A. Identified the population of applications in use by the IRS and selected a judgmental\n          sample for further review and testing.\n          1. Obtained a list of applications dated July 27, 2011, indicating the TIGTA Office\n             of Investigations\xe2\x80\x99 and the ESAT office\xe2\x80\x99s priorities.\n          2. Selected a judgmental sample of three applications for detailed testing from\n             199 applications identified by the TIGTA Office of Investigations. Consideration\n             for selection included whether the application processes and stores taxpayer data,\n             has completed an Audit Plan, is sending audit trail information to the SAAS, has\n             been identified to support the closure of the computer security material weakness\n             for audit trails, and is categorized as high priority by the TIGTA Office of\n             Investigations and/or the ESAT office. We selected a judgmental sample due to\n             staff resource constraints, and we did not plan to project our results.\n\n\n                                                                                           Page 13\n\x0c                  Audit Trails Did Not Comply With Standards or Fully Support\n                  Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n       B. Obtained and reviewed core record layouts of audit trails and IRS employee training\n          materials to identify transactions that read, write, execute, modify, or delete taxpayer\n          accounts.\n       C. Interviewed front-line employees or managers to ensure application events that read,\n          write, execute, modify, or delete taxpayer data are identified in the Audit Plan.\n       D. Determined whether the Audit Plan accurately addresses all taxpayer transaction\n          capabilities (read, write, execute, modify, delete) as identified in interviews, training\n          records, core record layouts, and variable definitions.\n       E. For issues identified, interviewed appropriate personnel and/or obtained\n          documentation to determine the cause.\nIII.   Determined whether the applications selected for review capture a complete and accurate\n       audit trail of information necessary to support forensic investigation of transactions\n       involving taxpayer information.\n       A. Conducted field observations of different types of transactions being input to the\n          sample applications and recorded the information.\n       B. Obtained application audit trails from the application owner or project office, along\n          with SAAS audit trails, to verify that field observation transactions were complete\n          and accurately captured in the audit trails.\n           1. Verified that the elements for each of the transactions executed during field\n              observations matched the audit trail transaction elements.\n           2. For those transactions not executed during field observations, verified through\n              review of the audit trails that they were being captured. If additional transactions\n              that read, write, execute, modify, or delete taxpayer information were not\n              identified in the sample audit trail extracts, we contacted the application owner or\n              project office to provide supporting evidence that these transactions were being\n              captured in audit trails.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: IRS policies, procedures, and practices for\ncapturing, storing, transmitting, reviewing, and retaining audit trails. We evaluated these\ncontrols by reviewing IRS policy and procedure documents, interviewing IRS personnel, and\nobserving various transactions performed by application users on our three sample applications\nand analyzing the resulting audit trail data.\n\n                                                                                            Page 14\n\x0c                 Audit Trails Did Not Comply With Standards or Fully Support\n                 Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nJody Kitazono, Audit Manager\nMyron L. Gulley, Senior Auditor\nMary Jankowski, Senior Auditor\nLouis Lee, Senior Auditor\nSam Mettauer, Senior Auditor\n\n\n\n\n                                                                                     Page 15\n\x0c                Audit Trails Did Not Comply With Standards or Fully Support\n                Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                                                 Appendix III\n\n                       Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Commissioner for Services and Enforcement SE\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                       Page 16\n\x0c                     Audit Trails Did Not Comply With Standards or Fully Support\n                     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                                                                          Appendix IV\n\n                          Descriptions of Applications\n\n Application                       Description\n\n Account Management                The purpose of the AMS is to provide an integrated approach to view,\n Services                          access, update, and manage taxpayer accounts by providing IRS\n                                   employees with the tools necessary to access information quickly and\n                                   accurately in response to complex customer inquiries and to update\n                                   taxpayer accounts on demand. Functionality includes inventory\n                                   management; next case delivery; nationwide history and follow-ups;\n                                   correspondence received from taxpayers concerning lost, stolen,\n                                   destroyed, or returned refunds; immediate print capabilities to fax to\n                                   taxpayers; and generation of electronic referrals. As of March 2012,\n                                   the AMS had processed more than five million transactions since it\n                                   was implemented in September 2009.\n\n Modernized e-File                 The MeF system runs on a modernized, Internet-based electronic file\n                                   platform. Its purpose is to provide a single method for filing all\n                                   business and individual tax returns, forms, and schedules via the\n                                   Internet. The MeF system provides real-time processing of tax returns\n                                   that improves error detection, standardizes business rules, and expedites\n                                   acknowledgments. MeF system volume has been increasing due to the\n                                   phasing in of its components. For Calendar Year 2012 (as of March),\n                                   the MeF system had accepted more than 59 million individual and\n                                   business returns (out of about 83 million returns submitted).\n\n Transcript Delivery System        The purpose of the TDS is to provide self-service for return and account\n                                   information requests by external customers. The TDS automates the\n                                   validation, processing, and delivery of taxpayer information to the\n                                   authorized third-party user. TDS transactions include self-service\n                                   electronic communication, where the user can request and receive a\n                                   transcript product interactively. The user will have the ability to specify\n                                   an information delivery method by systematic responses, automatic fax,\n                                   or postal mail. As of March 2012, the TDS had processed more than\n                                   144 million transactions since it was implemented.\nSource: TIGTA, Ref. No. 2008-20-053, The Account Management Services Project Is Meeting Its Development Goals\npp. 1, 8, 52 (Mar. 2008); TIGTA, Ref. No. 2011-40-131, Low Participation and Tax Return Volumes Continue to\nHinder the Transition of Individual Income Tax Returns to the Modernized e-File System p. 1 (Sept. 2011); the\nIRS As-Built Architecture website; and the March 2012 Modernization and Information Technology Services\nBusiness Value Chart.\n\n\n                                                                                                     Page 17\n\x0c     Audit Trails Did Not Comply With Standards or Fully Support\n     Investigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n                                                      Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                            Page 18\n\x0cAudit Trails Did Not Comply With Standards or Fully Support\nInvestigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                                       Page 19\n\x0cAudit Trails Did Not Comply With Standards or Fully Support\nInvestigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                                       Page 20\n\x0cAudit Trails Did Not Comply With Standards or Fully Support\nInvestigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                                       Page 21\n\x0cAudit Trails Did Not Comply With Standards or Fully Support\nInvestigations of Unauthorized Disclosure of Taxpayer Data\n\n\n\n\n                                                       Page 22\n\x0c'